Firewall complains about my project requiring net access.



chronozphere
23-01-2010, 01:51 PM
Hey everyone

During the past few days my projects seem to need an internet connection. Sometimes, when I want to run my code, a firewall message pops up, saying that the executable needs access. At this moment, my DeleD code tries to access 192.168.1.37 with the ICMP protocol (I think 192.168.1.37 is localhost in my case).

I'm using Turbo Delphi 2006, and AFAIK "W32/Induc-A" (That bloody delphi virus) can only infect Delphi 4-7. :)

How can this happen? Should I be worried?

Thanks

User137
23-01-2010, 04:27 PM
In theory processes can use sockets to communicate, but I've never seen anyone do that. You say "my DeleD code", so this is happening when you compile and run the application without you intentionally opening any connection in code? Some of your components or code somewhere is trying to open a socket.

paul_nicholls
23-01-2010, 09:36 PM
Hey everyone

During the past few days my projects seem to need an internet connection. Sometimes, when I want to run my code, a firewall message pops up, saying that the executable needs access. At this moment, my DeleD code tries to access 192.168.1.37 with the ICMP protocol (I think 192.168.1.37 is localhost in my case).

I'm using Turbo Delphi 2006, and AFAIK "W32/Induc-A" (That bloody delphi virus) can only infect Delphi 4-7. :)

How can this happen? Should I be worried?

Thanks


Are you compiling your UV plugin, or DeleD CE itself?

Have you tried scanning your plugin or DeleD executable for some virus (W32/Induc-A) or otherwise?

cheers,
Paul

AthenaOfDelphi
27-01-2010, 10:14 AM
I would definitely take a close look at all the library files for Delphi to check that none of them have been modified. That damned virus has been in the wild for a while, so it's possible that some git (Delphi is quite popular amongst script kiddies etc. I believe) has modified it to work with newer versions and has possibly included some sort of payload that does more than infect Delphi installations.

Please let us know what you find so we can all keep a look out for it.

chronozphere
27-01-2010, 01:44 PM
Are you compiling your UV plugin, or DeleD CE itself?

Have you tried scanning your plugin or DeleD executable for some virus (W32/Induc-A) or otherwise?


I was compiling DeleD CE.

The full AVG scan just completed. No virus found. I'll run another test soon to specifically check my Delphi install.

The problem with this thing is that it doesn't happen very often. I can't really reproduce this to see where it comes from. :?

chronozphere
29-01-2010, 10:07 PM
It just happened again?

Any ways of tracking down the responsible code? It frustrates me to see the firewall window pop up, without being able to trace it >:( (I need to see the callstack or something).

JSoftware
29-01-2010, 10:17 PM
You could look around for calls to IcmpSendEcho in the RTL or the code you use. Eventually you could use a library tracer to see if your program dynamically links to Iphlpapi.dll somehow.

AthenaOfDelphi
31-01-2010, 12:37 AM
If it's in Delphi, compile with the debug DCUs and step through it using the debugger? That's what I'd do.

chronozphere
31-01-2010, 09:59 AM
If it's in Delphi, compile with the debug DCUs and step through it using the debugger? That's what I'd do.


The problem is not reproducible, so I guess I'll be stepping for ages before it finally happens. I need a way to check the state of my program when my firewall complains. :)

Maybe I should use "pause" or something. ::)

User137
31-01-2010, 10:48 AM
Search all your project files for 192.168.1.37, or even deep harddisk search for text.
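A quick way to act on JSoftware's suggestion (look for IcmpSendEcho calls and an Iphlpapi.dll dependency) and User137's (search the project files for 192.168.1.37) is a small scanner over the source tree and the build output. This is an added example written for this thread, not code from DeleD or from any poster; the file extensions, the sample inputs and the hit format are assumptions.

```python
import os
import sys

# Strings worth looking for, taken from the thread: the host the firewall reported,
# the ICMP echo API and the DLL that exports it. Source files hold them as text,
# DCUs and executables as raw bytes, so every file is scanned as bytes.
INDICATORS = {
    "reported host": "192.168.1.37",
    "IcmpSendEcho call": "IcmpSendEcho",   # prefix also covers IcmpSendEcho2/2Ex
    "Iphlpapi import": "iphlpapi.dll",
}

# Constructed sample inputs (not real project files): a unit that declares the API,
# a fake binary carrying a UTF-16 copy of the IP, and a clean program.
SAMPLE_SOURCE = (b"uses Windows;\nfunction IcmpSendEcho(...): DWORD; stdcall; "
                 b"external 'iphlpapi.dll';\n")
SAMPLE_BINARY = (b"\x00\x01MZ\x90" + "192.168.1.37".encode("utf-16-le")
                 + b"\x00\x00ICMPSENDECHO2\x00")
SAMPLE_CLEAN = b"program Clean; begin end."

def find_indicators(data):
    """Return (label, offset, encoding) for every case-insensitive hit, checking
    both the ASCII and the UTF-16LE form (Delphi 2009+ strings are UTF-16)."""
    hay = data.lower()                     # bytes.lower() folds ASCII letters only
    hits = []
    for label, text in INDICATORS.items():
        for encoding in ("ascii", "utf-16-le"):
            needle = text.lower().encode(encoding)
            pos = hay.find(needle)
            while pos != -1:
                hits.append((label, pos, encoding))
                pos = hay.find(needle, pos + 1)
    return sorted(hits, key=lambda h: h[1])

def scan_tree(root, exts=(".pas", ".dpr", ".inc", ".dcu", ".exe", ".dll", ".bpl")):
    """Walk root; map each Delphi source/build file that has hits to its hit list."""
    findings = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    hits = find_indicators(fh.read())
                if hits:
                    findings[path] = hits
    return findings

if __name__ == "__main__":
    # Usage: point it at the project directory or the Delphi Lib directory.
    for path, hits in scan_tree(sys.argv[1]).items():
        print(path, [f"{label} @0x{off:x} ({enc})" for label, off, enc in hits])
```

Hits in a DCU or in the Lib directory that your own units never reference are the ones worth investigating; a hit inside your own source just tells you which unit to step through.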

jdarling
02-02-2010, 03:03 PM
Avira can detect the Delphi "Virus" so try giving it a run. Another thing to keep in mind, if you're running the professional or enterprise versions of Vista or Windows 7 operating systems they use named pipe/network drive access to access the local drive (this actually started in NT 3.5 and is a carryover). So you will see traffic to your local IP when connected to a network. When not connected to a network you will not see this activity because the OS is "smart enough" to know better.

Some versions of DeleD are affected by the virus, and yes, it can affect more than just 4-7. I've confirmed infection all the way to 2009. There is also more than one out there; the one we are all familiar with is the SysUtils attack, but there are others :(. Good news is, no one has modified it to attack Lazarus yet (well, good news if you use Lazarus).

For tracking it down, there is a way. Make sure you're compiling to NATIVE code and not IL/2/3 (sorry, .NET). You can then use a custom memory manager to keep a runtime log or you can use a remote (3rd party) debugger to monitor execution (honestly it's been years since I've done this, but it can be done). I can do some backup digging for the units I used to use, but I can't guarantee they still work :)

- Jeremy